Towards Understanding the Robustness of Diffusion-Based Purification: A Stochastic Perspective

Diffusion-Based Purification (DBP) has emerged as an effective defense mechanism against adversarial attacks. The success of DBP is often attributed to the forward diffusion process, which reduces the distribution gap between clean and adversarial images by adding Gaussian noise. While this explanation is theoretically sound, the exact role of this mechanism in enhancing robustness remains unclear. In this paper, through empirical analysis, we propose that the intrinsic stochasticity in the DBP process is the primary factor driving robustness. To test this hypothesis, we introduce a novel Deterministic White-Box (DW-box) setting to assess robustness in the absence of stochasticity, and we analyze attack trajectories and loss landscapes. Our results suggest that DBP models primarily rely on stochasticity to avoid effective attack directions, while their ability to purify adversarial perturbations may be limited. To further enhance the robustness of DBP models, we propose Adversarial Denoising Diffusion Training (ADDT), which incorporates classifier-guided adversarial perturbations into the diffusion training process, thereby strengthening the models' ability to purify adversarial perturbations. Additionally, we propose Rank-Based Gaussian Mapping (RBGM) to improve the compatibility of perturbations with diffusion models. Experimental results validate the effectiveness of ADDT. In conclusion, our study suggests that future research on DBP can benefit from a clearer distinction between stochasticity-driven and purification-driven robustness. Recently, diffusion-based purification (DBP) (Nie et al., 2022) has emerged as a promising defense against adversarial attacks. Existing studies suggest that DBP robustness primarily stems from the forward diffusion process, which reduces the distribution gap between clean and adversarial images by applying Gaussian noise (Nie et al., 2022; Wang et al., 2022) . While this reduction is theoretically supported, its contribution to DBP robustness has not been sufficiently * Equal contribution, † Corresponding author. 1 Published as a conference paper at ICLR 2025 validated through empirical studies. Additionally, experimental results suggest that the stochastic nature of DBP might also play a significant role in enhancing its robustness (Nie et al., 2022) . In this paper, we present a new perspective that emphasizes the role of stochasticity throughout the DBP process as a key contributor to its robustness, challenging the traditional focus on the forward diffusion process. To assess the impact of stochasticity, we propose a Deterministic White-box (DW-box) attack setting, in which the attacker has complete knowledge of both the model parameters and the stochastic elements. Our findings reveal that DBP models experience a significant loss of robustness when the process is made entirely deterministic from the attacker's perspective. Further analysis of attack trajectories and the loss landscape shows that DBP models do not defend against adversarial perturbations by relying on a flat loss landscape, as is common in adversarial training (AT) (Madry et al., 2018) ; instead, they leverage stochasticity to bypass the most effective attack directions, as illustrated in Figure 1 . Building on this new perspective of DBP robustness, we hypothesize that strengthening the diffusion model's ability to purify adversarial perturbations could further improve the robustness. To test this hypothesis, we propose Adversarial Denoising Diffusion Training (ADDT) for DBP models. This method follows an iterative two-step process: first, the Classifier-Guided Perturbation Optimization (CGPO) step generates adversarial perturbations; then, the diffusion model training step updates the parameters of the diffusion model using these perturbations. To better integrate these perturbations into the diffusion framework, we propose Rank-Based Gaussian Mapping (RBGM), which adjusts the adversarial perturbations to more closely resemble Gaussian noise, in line with the theoretical foundation of diffusion models. Experiments confirm that ADDT consistently enhances the robustness of DBP models. Through further empirical analysis and discussion, we argue that future research on DBP should separate the robustness derived from stochasticity and that achieved through purification. This distinction points to two complementary directions for improving DBP: (1) enhancing its ability to purify adversarial perturbations through efficient training methods, and (2) defending against Expectation over Transformation (EoT) attacks (Athalye et al., 2018b) by increasing the variance of attack gradients. Our main contributions are as follows: • We offer a novel perspective on DBP robustness, highlighting the crucial role of stochasticity while challenging the conventional, purification-based view that robustness primarily arises from distribution gap reduction during the forward diffusion process. • We introduce a new Determini